Insecure password practices are exploited in 81% of cyber attacks worldwide, and 61% of all attacks target businesses with fewer than 1,000 employees.¹ While employee education and training can help, what’s most needed to reverse this trend is for authentication to require additional proof of identity beyond simple username and password, and to be widely deployed by all companies – no matter their size. Only then will cyber criminals no longer be able to use stolen credentials to access and infect systems or steal data.

Are employees undermining company security with shared passwords?

Most employees are not intentionally trying to compromise company security; however, you should ask yourself what password practices they now use to cope with the proliferation of online accounts requiring them. According to an often-quoted study by Microsoft Research, “The average user has 6.5 passwords, each of which is shared across 3.9 different sites. Each user has about 25 accounts that require passwords, and types an average of 8 passwords per day.”

A 2015 Dashlane survey revealed that each person had over 90 online accounts, and had to reset their password using a “forgot password” link for 37 of those accounts in the prior year. Companies that require frequent resetting of passwords make it even harder for users to craft strong passwords and then later recall them. In this environment, it’s understandable that users have simplified their passwords – creating ones that can be serialized – and limiting them to a few that are used across multiple accounts.

1 Verizon’s 2017 Data Breach Investigations Report

This trend is evident when viewing the list of worst passwords used:

For businesses, employees’ use of simpler and weaker passwords puts networked resources at greater risk of breach. Even worse, when an employee’s credentials are stolen from other sites and those credentials contain the same password that gives them entry to your privileged networks, the hackers can walk right in the front door masquerading as the user…and you are none the wiser.

We’ve reached the limit of the protection that solely password-based access to systems can provide. What’s needed are additional measures to ensure the identity of the user…which is what multi-factor authentication (MFA) provides.

How are hackers stealing credentials?

Given that usernames and passwords are often the only hurdle to accessing systems that yield financial rewards, hackers have taken a keen interest in lifting them when they can. Some common ways to compromise this information include:

Phishing/Spear-Phishing: Criminals use email to try to get users to enter credentials into web pages or forms. The message will look convincingly like an email from a person or business that the user has a relationship with, and sometimes will be targeted at a specific individual (spear-phishing) who is perceived to have a great deal of privileged system access.

Brute Force: With simpler passwords coming back into use, criminals will try common passwords until they find one that works. They’ve even written automated scripts that circumvent simple protections such as a limit on the number of authentication attempts within a certain time window. Remember, for businesses without MFA, they just need any single username/password combination to work.

Wi-Fi Evil Twin: Using an easy-to-find $99 device, criminals can sit in a crowded area and pretend to be a legitimate Wi-Fi hotspot. When people connect, then the criminal is effectively a MitM (man-in-the-middle), observing network traffic and even the keystrokes of a user while connected. Studies have shown that people regularly check bank accounts, shop online, and yes, even access company networks, while on public Wi-Fi.

Once they have valid credentials, they will use them to access systems and steal data, consume resources with botnets, install ransomware, and even steal more credentials that might unlock other networks and personal data.
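An added example (not part of the original article) showing why a per-account attempt limit inside a short window misses the slow guessing described under Brute Force, and how counting distinct accounts per source over a longer window catches it. The log format, function names, thresholds and addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed auth log lines (not real data): time, result, user, source."""
    t0 = datetime(2024, 5, 1, 9, 0)
    at = lambda m: (t0 + timedelta(minutes=m)).isoformat()
    # Noisy guessing: six failures against one account within five minutes.
    lines = [f"{at(i)} FAIL user=carol src=192.0.2.50" for i in range(6)]
    # Slow guessing: one failure per account, 20 minutes apart, one source.
    for i, user in enumerate(["alice", "bob", "dave", "erin", "frank", "carol"]):
        lines.append(f"{at(20 * i)} FAIL user={user} src=203.0.113.7")
    # An ordinary typo followed by a successful login.
    lines += [f"{at(0)} FAIL user=bob src=198.51.100.20",
              f"{at(1)} OK user=bob src=198.51.100.20"]
    return lines

def parse(lines):
    """Return time-sorted (timestamp, succeeded, user, source) tuples."""
    events = []
    for line in lines:
        ts, result, user, src = line.split()
        events.append((datetime.fromisoformat(ts), result == "OK",
                       user.split("=", 1)[1], src.split("=", 1)[1]))
    return sorted(events)

def per_account_lockout(events, limit=5, window=timedelta(minutes=15)):
    """The simple control: accounts with >= limit failures inside one window."""
    fails = defaultdict(list)
    for ts, ok, user, _src in events:
        if not ok:
            fails[user].append(ts)
    return {u for u, t in fails.items()
            if any(t[i + limit - 1] - t[i] <= window for i in range(len(t) - limit + 1))}

def spray_sources(events, min_users=4, window=timedelta(hours=24)):
    """Sources that failed against >= min_users distinct accounts in a long window."""
    fails = defaultdict(list)
    for ts, ok, user, src in events:
        if not ok:
            fails[src].append((ts, user))
    return {src for src, seq in fails.items()
            if any(len({u for ts, u in seq if start <= ts <= start + window}) >= min_users
                   for start, _ in seq)}

if __name__ == "__main__":
    events = parse(build_sample_log())
    print("locked by per-account limit:", per_account_lockout(events))
    print("flagged as slow guessing:", spray_sources(events))
```

The per-account limit only reacts to the noisy source; the source that spaces single guesses across six accounts never trips it and is visible only in the per-source, long-window view.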

Three school districts have been hit by ransomware in North Louisiana this week.

Louisiana Governor John Bel Edwards has activated a state-wide state of emergency in response to a wave of ransomware infections that have hit multiple school districts.

The ransomware infections took place this week and have impacted the school districts of three North Louisiana parishes — Sabine, Morehouse, and Ouachita.

IT networks are down at all three school districts, and files have been encrypted and are inaccessible, local media outlets are reporting.

This is the second time that a state governor has activated a state emergency due to ransomware or any form of cyber-attack. The first time was in Colorado in February 2018, when the Colorado Department of Transportation was forced to shut down operations because of an infection with the SamSam ransomware. However, that state emergency activated additional state resources to help with traffic, road management, and transportation, and not with deploying cyber-security experts to help victims, like in Louisiana’s case.

By signing the Emergency Declaration, the Louisiana governor is making available state resources to impacted schools.

This includes assistance from cybersecurity experts from the Louisiana National Guard, Louisiana State Police, the Office of Technology Services, the Governor’s Office of Homeland Security and Emergency Preparedness (GOHSEP), and others.

State officials hope that additional IT expertise will speed up the recovery process so schools can resume their activity and preparations for the upcoming school year.

Gov. Edwards was able to roll out a coordinated response for the ransomware infections at schools in North Louisiana because he previously established a Cybersecurity Commission to assemble and coordinate response teams in the event of a cyber-attack.

He created this commission in December 2017, in the year when three ransomware outbreaks — namely WannaCry, NotPetya, and Bad Rabbit — had caused havoc across the globe, including in Louisiana.

“This is exactly why we established the Cyber Security Commission, focused on preparing for, responding to and preventing cybersecurity attacks, and we are well-positioned to assist local governments as they battle this current threat,” Gov. Edwards said.

The state of emergency will remain in place until August 21, or until the recovery process at impacted school districts wraps up.

Gulf Coast neighbor Florida could have used a state of emergency declaration last month, as well, after three municipalities were hit by ransomware — Riviera Beach (paid $600,000); Lake City (paid $500,000); and Key Biscayne (recovered from backups).

In recent months, US cities have been a prime target for ransomware gangs. Earlier today, some residents of Johannesburg, South Africa’s biggest city and financial capital, were left without electricity after a ransomware infection.

More than 500 patient medical records and other sensitive information were exposed in potential data breaches at Summa Health in August and March.

Summa Health announced Friday that it was sending letters to patients who were potentially affected by what the Akron-based health system called an “email phishing incident” that targeted Summa employees.

Email phishing describes an attack in which a person receives an email that looks legitimate and asks them to input sensitive information. Phishing of this kind can be the way a data breach occurs.

Summa said after its investigation, experts were unable to determine whether information such as medical records, treatment information, dates of birth and for a small subset of patients, Social Security and driver’s license numbers, contained in employee emails were viewed by the unauthorized people.

Summa said it was mailing letters to affected patients starting Friday, establishing a dedicated call center and offering free credit monitoring and protection services. It could take several weeks for the letters to arrive, spokesman Jim Gosky said.

Gosky said the number of affected patients is more than 500.

Summa learned May 1 that “an unauthorized person gained access to a limited number of employee email accounts that contained patient information,” according to a news release from the health system. Two accounts were accessed in August and two other accounts were accessed between March 11 and March 29.

Summa said it made sure the accounts were secured and began an investigation, including hiring a computer forensic firm. “The investigation was unable to determine whether the unauthorized individual actually viewed any email or attachment in the accounts,” Summa said.

Officials said “out of an abundance of caution, Summa Health thoroughly reviewed every email and attachment in the accounts to identify patients whose information may have been accessible to the unauthorized person. Patient information was identified in the accounts, including patient names, dates of birth, medical record or patient account numbers, and clinical and/or treatment information. For a small subset of patients, health insurance information, Social Security numbers, and/or driver’s license numbers were also found in the accounts.”

Summa said it was recommending patients review the statements they receive from their health care providers and health insurers. If there are unrecognizable services, contact the provider or insurer immediately. For eligible patients whose Social Security number or driver’s license number was found in the email accounts, Summa Health is offering complimentary credit monitoring and identity protection services. The details will be in the letter.

“Summa Health remains committed to protecting the confidentiality and security of its patients’ information. To help prevent something like this from happening in the future, Summa Health is reinforcing employee training on privacy and security and is instituting additional security measures throughout the health system,” the health system said.

A small Florida city paid an extraordinary $600,000 in ransom this week to hackers who had locked up the city’s computer systems — highlighting an increasingly common dilemma for city leaders across the country.

Cities have been hit with an increase in ransomware attacks in recent years since tight budgets have left them with outdated and hackable computer systems. But paying the ransoms to reverse the attack means putting money — taxpayer money — into the hands of nefarious hacking groups who probably will use it to target other victims.

If they refuse to pay up, though, they could be saddled with an even bigger bill to get their cities back online. And they may have to deal with lasting consequences — like in Baltimore, where city leaders decided against paying the ransom and the city still hasn’t restored all its services six weeks after a devastating attack.

“When you pay the ransom, you’re making the bad guys better,” says Allan Liska, a threat intelligence analyst at cybersecurity firm Recorded Future. “But, from a strictly business perspective, sometimes you have to pay the ransom because the cost of not paying it is going to be much, much more.”

But cities, of course, are not just businesses – they have citizens who don’t want their tax dollars wasted and leaders who want to get re-elected. Given there are taxpayer costs to either choice, this is both a practical and moral question for city leaders.

Not to mention, there could also be career and electoral consequences for city officials who don’t stand up to bad guys. “No politician wants to go on record as having paid a ransom to a cybercriminal,” Liska said.

Already on Thursday, the payout had registered in Washington, where Sen. Marco Rubio (R-Fla.) said he’s working on ways the federal government can help.

A study from Recorded Future found that cities are actually slightly less likely to pay off ransomware hackers than other victims. Just 17 percent of the cities struck with ransomware in the study paid compared with about 45 percent of ransomware victims overall.

That figure could change, though, as city officials draw lessons from major ransomware attacks in cities that didn’t pay. In Baltimore, officials expect to pay about $18 million after refusing to pay a ransom demand of just about $70,000, and a 2018 attack in Atlanta cost the city about $2.6 million to recover from.

In the case of Riviera Beach, Fla., the city suffered through three weeks during which city workers couldn’t access their email accounts and emergency dispatchers couldn’t log calls into computers, my colleague Rachel Siegel reported. Ultimately, the city council voted unanimously to pay the hackers 65 bitcoin, which amounts to about $592,000.

Price tags like that are bound to make city officials think twice about whether they can refuse a ransom demand, Joe Hall, chief technologist at the Center for Democracy and Technology, told me.

“You’d think the incentive would be to pay as little as possible,” he said.

Ransom payments and ransomware recovery costs are sometimes covered by insurance, but insurance rarely covers all the costs and a big payout will raise cities’ insurance rates.

Another lesson cities are hopefully taking from the Baltimore, Atlanta and Riviera Beach examples, however, is that they should be better protecting their computer systems against hackers before the ransomware strikes, Tad McGalliard, director of research and policy at the International City/County Management Association, told me.

That includes installing basic protections such as guarding against phishing emails and requiring extra verification before people can access computer systems, he said. It also includes making sure that all the city’s vital records are backed up someplace offline where hackers can’t seize them and lock them up.

“We’re likely to see a continuing increase in ransomware attacks on local governments, but I hope we also see local governments taking note of this and doing everything in their power to bulk up their cyber defenses,” McGalliard said.

StorageCraft® OneXafe® is a converged data platform that unifies enterprise-class data protection with scale-out storage in an easy-to-use, configurable solution. For businesses looking to protect and manage their data in heterogeneous environments, OneXafe eliminates complexity and provides flexible deployment to accommodate various workload requirements. At the same time, it significantly reduces costs associated with primary and secondary storage as well as data protection software. By providing a converged solution, OneXafe removes the need for siloed point solutions and minimizes costs incurred from standalone hardware and software offerings. At the core of OneXafe is a patented distributed object-based file system that delivers universal data access by providing NFS and SMB access to users and applications. Data protection services are directly integrated into the distributed object store, delivering powerful backup and recovery, with a work flow optimized for simplified management. OneXafe tightly integrates with StorageCraft Cloud Services, with a single click it provides business continuity of data, network, and application recovery in StorageCraft’s Cloud. There are a number of configurable options available within OneXafe, from primary storage, to secondary storage, to enterprise-class data protection combined with secondary storage. It is seamlessly administered with OneSystem, our simple, intuitive, yet powerful management service. OneXafe enables ease of implementation for both powerful data protection and optimum scale-out storage.

Configuration: OneXafe includes a multi-purpose storage appliance that can be configured based on your business needs.

– High Performance Storage: Scalable storage for high performance unstructured data and backup targets. Can be configured to serve primary storage for virtual workloads, unstructured data, or secondary storage with high performance needs.

– Capacity Storage: Scalable storage for large scale unstructured data and backup targets. Can be configured to serve as secondary storage for your backup needs.

In the case of disaster, OneXafe ensures business continuity with a complete, orchestrated virtual failover to the cloud in one click, when used with our Cloud Services. OneXafe’s tight integration with the cloud makes recovery of the entire infrastructure simple, quick, and seamless, while offering the highest service level agreements (SLAs) with one throat to choke.

Enterprise Systems Corporation is an industry partner of StorageCraft® OneXafe® Solutions. Contact us today for more information.